A few things are important for the redirect to occur. Let's talk through the process so we are clear and you can appreciate what is going on. This is if you are using a signed cert. The goal in this is to get the user to the 1.1.1.1 address. This is the virtual address, and this address is what serves up the web page on the controller.

1. Guest connects to your guest SSID.

2. Guest opens a browser and goes to yahoo.com.

3. The client sends the DNS request for yahoo.com to the DNS server. (Q#1: Is your DNS inside or outside for your guest?)

4. The controller intercepts the DNS query that is returned and hijacks it and replaces it with your virtual address 1.1.1.1 from the controller. Again, 1.1.1.1 is what delivers the page to the guest.

5. If you don't have a signed cert on the controller, the user will get an 'accept this cert on the webpage'. The user accepts the cert and you are off to the races.

If you are using a signed cert, not a local one on the WLC, let me know, as there are a few extra steps that happen which I can explain if needed.

This should be fairly simple: you enable webauth from the controller tab, then create the guest SSID, then set the policy to layer 2 none, layer 3 web policy, and set the web auth method to internal, the default. All this is done, but DNS is not working as yet; the DSL router was not set up yet. I just wanted to test the authentication. I entered the IP address of the controller guest interface and then I get the redirect to 1.1.1.1, but from here I don't get the login screen displayed, just page can not be displayed. So is this then DNS related? But the redirect is 1.1.1.1. No certs used, just default settings. I should still get to the login page.

The controller is connected to a Cisco layer 3 switch, trunked, all VLANs allowed. A layer 2 VLAN was created for the guest VLAN that is connecting the guest users to a DSL modem for the www traffic so they are not using the client's bandwidth. The DSL has not been cabled in the VLAN yet. The DHCP on the controller is set up for the 10.0.0.0 range, and the default gateway and DNS is the DSL router. They only want the guest to access the internet there no other resources on the local. They want the lobby admin set up so the receptionist can create and manage these users for them when a guest needs access; otherwise I would have just gone for the WPA2 preshared key option.

For this issue, they are getting the web-page and after providing the credentials it is redirecting to the original page.

If there is no DNS available, how will the host resolve the URL's IP in order to open the web page?

This is why I suggested to check DNS.

From the link I posted above I quote:

...........

The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.

Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back. ........

If you are using a URL for the virtual interface, then lack of DNS will not show you the credentials page in the first place.

If there is no URL for the virtual interface and you get the auth page, but after entering the credentials it does not successfully redirect, one of the main reasons is a DNS problem.

The "web page cannot be displayed" is before you enter the credentials. You don't even get the login page. As explained, I get the redirect to 1.1.1.1 but then page can not be displayed. Hope this makes sense now.

To sum this up:

User enters a webpage, gets the redirect to 1.1.1.1, then page can not be displayed. No page to enter login credentials, just page can not be displayed.

I think I need to visit a doctor! I read your post twice before, and what I understood is that you got the auth page and "page can not be displayed" appears after entering the credentials.

I now went to read it again and it is mentioned explicitly that it shows "page can not be displayed" before you see the page!! I don't know what is wrong with me.

On the other hand, the DNS is still my primary suspect.

Quoting again:

The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.

From the mentioned process, if there is no DNS resolution then there will be no HTTP GET message, and hence it is normal not to get the page. The WLC does not intercept the DNS reply to the client; however, it intercepts the HTTP GET message when the client tries to open the page.

When internet/DNS are ready please test and let us know.

I will be very interested if it is not DNS to go deep to discover what the issue is.
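
The sequence in the quoted Cisco text (DNS resolution first, then an HTTP GET that the WLC answers with a redirect to the login page) can be checked from a guest client one stage at a time. The following is an added example, not part of the thread or of Cisco's documentation; the function names are hypothetical, and it assumes the redirect arrives either as a `Location` header or as a meta refresh in the page body, since the thread does not say which form the controller uses.

```python
import re
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

VIRTUAL_IP = "1.1.1.1"  # virtual interface address from this thread

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 30x instead of following it

def resolve(name):
    """Stage 1: DNS lookup with the DHCP-assigned resolver; None on failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def http_probe(url, timeout=5):
    """Stage 2: plain-HTTP GET; returns (status, Location header, body text)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(4096).decode("latin-1")
    except urllib.error.HTTPError as err:  # raised for the unfollowed 30x
        return err.code, err.headers.get("Location"), ""
    except OSError:  # timeout, reset, no route
        return None, None, ""

def redirect_target(location, body):
    """Host the reply points the browser at: Location header or meta refresh."""
    if not location:
        m = re.search(r"http-equiv=[\"']?refresh[^>]*?url=([^\"'>\s]+)", body, re.I)
        location = m.group(1) if m else None
    return urlsplit(location).hostname if location else None

def diagnose(name, resolver=resolve, probe=http_probe, virtual_ip=VIRTUAL_IP):
    """Name the first stage of the web-auth redirect that fails for this client."""
    if resolver(name) is None:
        return "dns-failed"  # no lookup result, so no HTTP GET is sent
    status, location, body = probe("http://%s/" % name)
    if status is None:
        return "http-no-response"
    target = redirect_target(location, body)
    if target == virtual_ip:
        return "redirected-to-virtual-ip"
    return "redirected-elsewhere" if target else "not-intercepted"
```

Calling `diagnose("yahoo.com")` on the guest client returns the first failing stage; a result of `redirected-to-virtual-ip` while the browser still shows no login page places the fault after the interception step, between the client and the virtual address.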